sakaiantisamy

How do I modify the Sakai installation's AntiSamy policy files?


I would like to modify a deployed installation of Sakai to allow iframes from several on-campus media servers. An example of an iframe is https://mediaserver.example.edu/p/player.html. What is the easiest way to edit the policy files in the deployed Tomcat?


Solution

  • Antisamy is an open source API and html scanner and cleaner. Sakai 2.9 or higher uses this as a part of it's security suite to protect users from XSS (Cross Site Scripting) attacks caused by malicious user created markup.

    Sakai includes a default set of configurations which are community tested and will likely meet most users needs. These include a low and high security option (high is the default). To force Sakai to use the low security setting you can add a Sakai configuration property as shown below (setting this to false will default to high security):

    content.cleaner.default.low.security=true
    

    The primary difference between the high and low settings is the blocking of unknown sites for external content (like vidoes or iframes). High only allows a limited list of trusted sites. Low allows content from any site. Both have extensive rules for protecting against javascript related injection attacks.

    The Antisamy configuration files are XML based (see the Antisamy developer guide for more details). The standard high and low security files are located in the Sakai source code under "kernel/sakai-kernel-impl/src/main/resources/antisamy/". These can be used as a basis for a locally customized version. To override the included files, simple place a custom version in the Sakai home directory (typically TOMCAT_HOME/sakai), for example:

    ${sakai.home}/antisamy/high-security-policy.xml
    ${sakai.home}/antisamy/low-security-policy.xml
    

    For your specific use case, you would probably modify the following section (near the top of the xml file) as indicated in the comment:

    <!-- SAKAI customized trusted sites listing:
        This is where we specify what Flash/embed/iframe src to allow 
        To add a new host/site to this list:
        Find this in the flashSites below: ...(download\.macromedia\.com/pub|... 
        Add in your site (e.g. "new.site.host.com/path": with escaped ".": "new\.site\.host\.com/path|"
        Like shown here: (new\.site\.host\.com/path|download\.macromedia\.com/pub|
    -->
    <regexp name="flashSites" ...